import datetime

from panther_base_helpers import resolve_timestamp_string

TIMEOUT_DAYS = datetime.timedelta(days=90)


def aged_out(timestamp):
    if not timestamp:
        return False
    datetime_ts = resolve_timestamp_string(timestamp)
    if not datetime_ts:
        return False
    return (datetime.datetime.now() - datetime_ts) > TIMEOUT_DAYS


def policy(resource):
    # If a user is less than 4 hours old, it may not have a credential report generated yet.
    # It will be re-scanned periodically until a credential report is found, at which point this
    # policy will be properly evaluated.
    report = resource.get("CredentialReport")
    if not report:
        return True

    if report.get("AccessKey1Active"):
        if aged_out(report.get("AccessKey1LastRotated")):
            return False
    if report.get("AccessKey2Active"):
        if aged_out(report.get("AccessKey2LastRotated")):
            return False

    return True
